Key terms

This page provides key terminology that applies to Cloud Next Generation Firewall. Review these terms to better understand how Cloud NGFW works and the concepts on which it is built.

Address groups

Address groups are a logical collection of either IPv4 address ranges or IPv6 address ranges in CIDR format. You can use address groups to define consistent sources or destinations referenced by many firewall rules. For more information about address groups, see Address groups for firewall policies.

CIDR format

Classless Inter-Domain Routing (CIDR) format or notation is a method for representing an IP address and its subnet. It is an alternative to writing out an entire subnet mask. It consists of an IP address, followed by a forward slash (/), and a number. The number indicates the number of bits in the IP address that define the network portion.

Cloud NGFW

Cloud Next Generation Firewall is a fully distributed firewall service with advanced protection capabilities, micro-segmentation, and pervasive coverage to protect your Google Cloud workloads from internal and external attacks. Cloud NGFW is available in three tiers: Cloud Next Generation Firewall Essentials, Cloud Next Generation Firewall Standard, and Cloud Next Generation Firewall Enterprise. For more information, see Cloud NGFW overview.

Cloud NGFW Essentials

Cloud Next Generation Firewall Essentials is the foundational firewall service offered by Google Cloud. It includes features and capabilities such as global network firewall policies and regional network firewall policies, Identity and Access Management (IAM)-governed Tags, Address groups, and Virtual Private Cloud (VPC) firewall rules. For more information, see Cloud NGFW Essentials overview.

Cloud NGFW Enterprise

Cloud Next Generation Firewall Enterprise provides advanced Layer 7 security capabilities that protect your Google Cloud workloads from threats and malicious attacks. It includes intrusion prevention service with Transport Layer Security (TLS) interception and decryption, which provides threat detection and prevention from malware, spyware, and command-and-control attacks on your network.

Cloud NGFW Standard

Cloud NGFW Standard extends the Cloud NGFW Essentials features to provide enhanced capabilities to protect your cloud infrastructure from malicious attacks. It includes features and capabilities such as threat intelligence for firewall policy rules, fully qualified domain name (FQDN) objects, and geolocation objects in firewall policy rules.

Firewall endpoint

A firewall endpoint is a Cloud NGFW resource that enables Layer 7 advanced protection capabilities, such as intrusion prevention, in your network. For more information, see Firewall endpoint overview.

Firewall rules

Firewall rules are the building blocks of network security. A firewall rule controls incoming or outgoing traffic to a virtual machine (VM) instance. By default, incoming traffic is blocked. For more information, see Firewall policies.

Firewall Rules Logging

Firewall Rules Logging lets you audit, verify, and analyze the effects of your firewall rules. For example, you can determine whether a firewall rule designed to deny traffic is functioning as intended. Firewall Rules Logging is also useful if you need to determine how many connections are affected by a given firewall rule. For more information, see Firewall Rules Logging.

Firewall policies

Firewall policies let you group several firewall rules so that you can update them all at once, effectively controlled by IAM roles. Firewall policies are of three types, Hierarchical firewall policies, global network firewall policies, and regional network firewall policies. For more information, see Firewall policies.

Firewall policy rules

When you create a firewall policy rule, you specify a set of components that define what the rule does. These components specify traffic direction, source, destination, and Layer 4 characteristics such as protocol and destination port (if the protocol uses ports). These components are called firewall policy rules. For more information, see Firewall policy rules.

FQDN objects

A fully qualified domain name (FQDN) is the complete name of a specific resource on the internet. For example, cloud.google.com. FQDN objects in firewall policy rules filter incoming or outgoing traffic from or to a specific domain name. Based on the traffic direction, the IP addresses associated with the domain names are matched against the source or destination of the traffic. For more information, see FQDN objects.

Geolocation objects

Use geolocation objects in firewall policy rules to filter external IPv4 and external IPv6 traffic based on specific geographic locations or regions. You can use geolocation objects along with other source or destination filters. For information, see Geolocation objects.

Global network firewall policies

Global network firewall policies let you group rules into a policy object applicable to all regions (global). After you associate a global network firewall policy with a VPC network, the rules in the policy can apply to resources in the VPC network. For global network firewall policy specifications and details, see Global network firewall policies.

Hierarchical firewall policies

Hierarchical firewall policies let you group rules into a policy object that can apply to many VPC networks in one or more projects. You can associate Hierarchical firewall policies with an entire organization or individual folders. For Hierarchical firewall policies specifications and details, see Hierarchical firewall policies.

Identity and Access Management

Google Cloud's IAM lets you grant granular access to specific Google Cloud resources and helps prevent access to other resources. IAM lets you adopt the security principle of least privilege, which states that nobody should have more permissions than they actually need. For more information, see IAM overview.

Implied rules

Every VPC network has two implied IPv4 firewall rules. If IPv6 is enabled in a VPC network, the network also has two implied IPv6 firewall rules. These rules are not shown in the Google Cloud console.

Implied IPv4 firewall rules are present in all VPC networks, regardless of how the networks are created or whether they are auto mode or custom mode VPC networks. The default network has the same implied rules. For more information, see Implied rules.

Intrusion prevention service

Cloud NGFW intrusion prevention service continuously monitors your Google Cloud workload traffic for any malicious activity and takes preemptive actions to prevent it. The malicious activity can include threats such as intrusions, malware, spyware, and command-and-control attacks on your network. For more information, Intrusion prevention service overview.

Network firewall policies

Network firewall policies also known as Firewall policies, let you group several firewall rules so that you can update them all at once, effectively controlled by IAM roles. These policies contain rules that can explicitly deny or allow connections, as do VPC firewall rules. This includes global and regional network firewall policies. For more information, see Firewall policies.

Network tags

A network tag is a character string that is added to a tags field in a resource such as Compute Engine VM instances or instance templates. A tag is not a separate resource, so you cannot create it separately. All resources with that string are considered to have that tag. Tags let you make VPC firewall rules and routes applicable to specific VM instances.

Packet Mirroring

Packet Mirroring clones the traffic of specific VM instances in your VPC network and forwards the traffic for examination. Packet Mirroring captures all traffic and packet data, including payloads and headers. You can configure the capture for both egress and ingress traffic, only ingress traffic, or only egress traffic. Packet Mirroring is useful when you need to monitor and analyze your security status. It exports all traffic, not only the traffic between sampling periods.

Policy inheritance

By default, organization policies are inherited by the descendants of the resources on which you enforce the policy. For example, if you enforce a policy on a folder, Google Cloud enforces the policy on all projects in the folder. To learn more about this behavior and how to change it, see Hierarchy evaluation rules.

Priority

The priority of a rule in a firewall policy is an integer from 0 to 2,147,483,647, inclusive. Lower integers indicate higher priorities. For more information, see Priority.

Regional network firewall policies

Regional network firewall policies let you group rules into a policy object that is applicable to a specific region. After you associate a regional network firewall policy with a VPC network, the rules in the policy can apply to resources within that region of the VPC network. For regional firewall policy specifications and details, see Regional network firewall policies.

Secure profiles

Secure or security profiles help you define Layer 7 inspection policy for your Google Cloud resources. They are generic policy structures that are used by firewall endpoints to scan intercepted traffic to provide application layer services, such as intrusion prevention. For more information, see Security profile overview.

Security profile groups

A security profile group is a container for security profiles. A firewall policy rule references a security profile group to enable Layer 7 inspection, such as intrusion prevention, on your network. For more information, see Security profile group overview.

Server Name Indication

Server Name Indication (SNI) is an extension to the TLS computer networking protocol. SNI lets multiple HTTPS sites share an IP and TLS certificate, which is more efficient and cost effective because you don't need individual certificates for each website on the same server.

Tags

The Google Cloud resource hierarchy is a way to organize your resources into a tree structure. This hierarchy helps you manage resources at scale, but it models only a few business dimensions, including organization structure, regions, workload types, and cost centers. The hierarchy lacks the flexibility to layer multiple business dimensions together.

Tags provide a way to create annotations for resources, and in some cases conditionally allow or deny policies based on whether a resource has a specific tag. You can use tags and conditional enforcement of policies for fine-grained control across your resource hierarchy.

Tags are different from network tags. For more information about the differences between Tags and network tags, see Comparison of Tags and network tags.

Threat intelligence

Firewall policy rules let you secure your network by allowing or blocking traffic based on Threat Intelligence data. Threat Intelligence data includes lists of IP addresses based on the Tor exit nodes, known malicious IP addresses, search engines, and public cloud IP address ranges. For information, see Threat Intelligence for firewall policy rules.

Threat signature

Signature-based threat detection is one of the most commonly used mechanisms to identify malicious behavior, and is therefore widely used to prevent network attacks. Cloud NGFW's threat detection capabilities are powered by Palo Alto Networks threat prevention technologies. For more information, see Threat signatures overview.

Transport Layer Security inspection

Cloud NGFW offers a TLS interception and decryption service that can inspect encrypted and unencrypted traffic for network attacks and disruptions. TLS connections are inspected on both inbound and outbound connections, including traffic to and from the internet and traffic within Google Cloud.

Cloud NGFW decrypts the TLS traffic to enable the firewall endpoint to perform Layer 7 inspection, such as intrusion prevention, in your network. After the inspection, Cloud NGFW re-encrypts the traffic before sending it to its destination. For more information, see TLS inspection overview.

Tags for firewall

Tags are also referred to as secure tags. Tags let you define sources and targets in global network firewall policies and regional network firewall policies. Tags are different from network tags. Network tags are simple strings, not keys and values, and don't offer any kind of access control. For more information about the differences between Tags and network tags and what products support each one, see Comparison of Tags and network tags.

VPC firewall rules

VPC firewall rules let you allow or deny connections to or from VM instances in your VPC network. Enabled VPC firewall rules are always enforced, protecting your instances regardless of their configuration and operating system, even if they have not started up. These rules apply to a given project and network. For more information, see VPC firewall rules.

What's next